[DSE-Dev] Bug#739590: Bug#739590: selinux-policy-default: ssh & bind9 broken by removal of hotplug script initrc labelling
Laurent Bigonville
bigon at debian.org
Thu Feb 20 09:15:54 UTC 2014
Le Thu, 20 Feb 2014 00:28:43 -0800,
Devin Carraway <devin at debian.org> a écrit :
> Package: selinux-policy-default
> Version: 2:2.20140206-1
> Severity: important
>
> On a jessie system with refpolicy 2:2.20140206-1, and allow-hotplug
> set on the primary network interface, sshd is left running in udev_t,
> breaking it thoroughly (and in fact flooding the logs with socket
> errors until the machine runs out of disk). bind9, which also has a
> hotplug trigger script, is broken by inability of rndc to access auth
> keys.
>
> My guess as to why:
>
> Removal of the debian-specific refpolicy patches in rev
> 853ebfe7118c3984ff2b53f51af6f5758d222cd7 had the effect of returning
> the contents of /etc/network/if-{up,down}.d/ from initrc_exec_t to
> etc_t. As a result, on systems with allow-hotplug on their primary
> network interfaces the sshd and any other network-using daemons aware
> of hotplug will be started from udev rather than init, and with an
> etc_t startup script the usual domain transition doesn't happen.
>
> I'll test out restoring the labelling and see if there's more to this.
>
> Years ago, thus was Bug#503941 at least as it impacted bind.
Could you please attach the AVC denials to the bug.
Thanks!
Laurent Bigonville
More information about the SELinux-devel
mailing list